© 2026 HealthSquire. All rights reserved. A GradeCircle product.

Data Processing Agreement

Last updated: May 30, 2026

On this page

  1. Introduction
  2. Definitions
  3. Scope and Purpose of Processing
  4. Obligations of the Processor
  5. Obligations of the Controller
  6. Security Measures
  7. Sub-processors
  8. Audits
  9. Data Retention and Deletion
  10. Data Breach Response
  11. Cross-Border Data Transfers
  12. Relationship to BAA
  13. Liability
  14. Governing Law
  15. Contact Information

1. Introduction

This Data Processing Agreement ("DPA") forms part of the agreement between HealthSquire ("Processor" or "we") and the healthcare facility or organization using our platform ("Controller" or "you") for the processing of Personal Data.

This DPA supplements our Terms of Service and Privacy Policy, and applies to all processing of Personal Data by HealthSquire on behalf of the Controller in connection with the provision of our healthcare staffing marketplace services (including shifts, travel, remote work, jobs, continuing education, shift-to-hire, and enterprise features).

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person, including names, contact information, professional credentials, employment data, and any other data defined as personal data, personal information, or personally identifiable information under applicable Data Protection Laws.
  • "Protected Health Information" (PHI) means individually identifiable health information as defined under HIPAA, including demographic data that relates to past, present, or future health conditions, healthcare provision, or payment for healthcare.
  • "Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, combination, restriction, erasure, or destruction.
  • "Data Protection Laws" means all applicable privacy and data protection laws, including HIPAA, CCPA/CPRA, VCDPA, CPA, CTDPA, and any other applicable state or federal data protection legislation.
  • "Sub-processor" means any third party engaged by HealthSquire to process Personal Data on behalf of the Controller.
  • "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

3. Scope and Purpose of Processing

3.1 Subject Matter

HealthSquire processes Personal Data in connection with the provision of healthcare staffing marketplace services, including shift matching, credential verification, payment processing, communication facilitation, and compliance management.

3.2 Categories of Data Subjects

  • Healthcare professionals (nurses, therapists, and other clinicians)
  • Facility administrators and authorized representatives
  • Patients (limited to incidental PHI exposure during shift assignments)

3.3 Types of Personal Data

  • Identity data (name, date of birth, government-issued ID numbers)
  • Contact data (email, phone, address)
  • Professional data (license numbers, certifications, work history, specialties)
  • Financial data (payment information, bank details for payouts, tax IDs)
  • Employment data (shift records, ratings, performance metrics)
  • Technical data (IP addresses, device identifiers, usage logs)
  • Background check results and compliance records
  • Protected Health Information (as governed separately by our BAA)

3.4 Duration of Processing

Processing continues for the duration of the service agreement between the parties, plus any legally required retention periods as described in Section 9.

4. Obligations of the Processor

HealthSquire shall:

  • Process Personal Data only on documented instructions from the Controller, unless required by law to do otherwise
  • Ensure that persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality
  • Implement appropriate technical and organizational security measures as described in Section 6
  • Respect the conditions for engaging Sub-processors as set out in Section 7
  • Assist the Controller in responding to data subject requests (access, correction, deletion, portability) within the timeframes required by applicable law
  • Assist the Controller in ensuring compliance with data breach notification obligations
  • At the Controller's choice, delete or return all Personal Data after the end of the provision of services, unless retention is required by applicable law
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits as described in Section 8

5. Obligations of the Controller

The Controller shall:

  • Ensure it has a lawful basis for the processing of Personal Data and has provided all necessary notices and obtained all necessary consents
  • Ensure that its instructions to HealthSquire comply with applicable Data Protection Laws
  • Maintain appropriate security measures for any Personal Data within its own systems
  • Promptly notify HealthSquire of any data subject requests received directly that relate to processing performed by HealthSquire
  • Comply with all applicable HIPAA requirements as a Covered Entity

6. Security Measures

HealthSquire implements and maintains the following technical and organizational measures to protect Personal Data:

6.1 Technical Measures

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Multi-factor authentication for all administrative and sensitive operations
  • Role-based access control (RBAC) with least-privilege principles
  • Automated vulnerability scanning and periodic penetration testing
  • Web application firewall (WAF) and DDoS protection
  • Automated backup and disaster recovery systems
  • Comprehensive audit logging of all data access and modifications
  • Secure software development lifecycle (SDLC) practices

6.2 Organizational Measures

  • Designated Data Protection Officer and HIPAA Security Officer
  • Mandatory privacy and security training for all employees
  • Background checks for employees with access to Personal Data
  • Incident response plan with defined roles and escalation procedures
  • Regular security awareness training and phishing simulations
  • Written information security policies reviewed and updated annually
  • Vendor security assessments for all Sub-processors

7. Sub-processors

7.1 Authorized Sub-processors

The Controller provides general authorization for HealthSquire to engage Sub-processors. The current list of Sub-processors is as follows:

Sub-processor                   | Purpose                                          | Location
Cloud Infrastructure Provider   | Database hosting, authentication, storage        | United States
Payment Processing Provider     | Payment processing, financial transactions       | United States
Application Hosting Provider    | Application hosting, CDN, edge compute           | United States
Email Delivery Provider         | Transactional and marketing email delivery       | United States
SMS Communications Provider     | SMS notifications and communications             | United States
Background Screening Provider   | Background checks and FCRA-compliant screening   | United States
Application Monitoring Provider | Error monitoring and performance tracking        | United States

The complete list of sub-processors, including company names, registered addresses, and individual data processing agreements, is available to enterprise customers upon request. Contact us via our contact form for full sub-processor documentation.

7.2 Changes to Sub-processors

HealthSquire will notify the Controller at least 30 days before engaging any new Sub-processor or making changes to existing Sub-processor arrangements. The Controller may object to the new Sub-processor by providing written notice within 14 days of receiving such notification. If the Controller objects, the parties will work in good faith to find an alternative solution.

7.3 Sub-processor Obligations

HealthSquire ensures that each Sub-processor is bound by data protection obligations no less protective than those set out in this DPA, including appropriate security measures and confidentiality commitments.

8. Audits

HealthSquire shall make available to the Controller, upon reasonable request and subject to confidentiality obligations:

  • SOC 2 Type II audit reports (available upon NDA execution)
  • Summaries of penetration test results
  • Evidence of HIPAA compliance measures
  • Documentation of security policies and procedures

The Controller may conduct or commission an audit of HealthSquire's processing activities no more than once per year, with at least 30 days' prior written notice, during normal business hours, and subject to reasonable confidentiality restrictions. The Controller shall bear the costs of any such audit.

9. Data Retention and Deletion

HealthSquire retains Personal Data according to the following schedule:

Data Category                  | Retention Period                                     | Basis
Account and profile data       | Duration of account + 30 days                        | Contractual necessity
Shift and employment records   | 7 years after shift date                             | Tax and labor law compliance
Payment and tax records        | 7 years after transaction                            | IRS requirements
Credential and license records | 6 years after last activity                          | HIPAA, state nursing board requirements
Background check records       | 5 years or as required by FCRA                       | FCRA, state employment laws
Protected Health Information   | 6 years from date of creation or last effective date | HIPAA retention requirements
Audit and security logs        | 6 years                                              | HIPAA, SOC 2 requirements
Cookie consent records         | 3 years from consent date                            | Regulatory compliance evidence

Upon termination of services, HealthSquire will delete or return all Personal Data within 90 days, except where retention is required by applicable law. The Controller may request data export in a structured, machine-readable format prior to account termination.

10. Data Breach Response

In the event of a Data Breach affecting Personal Data processed on behalf of the Controller, HealthSquire shall:

  • Notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach
  • Provide sufficient information to enable the Controller to meet its own notification obligations, including:
    • Nature of the breach and categories of data affected
    • Approximate number of data subjects and records affected
    • Likely consequences of the breach
    • Measures taken or proposed to mitigate the breach
  • Cooperate with the Controller in investigating and remediating the breach
  • Maintain detailed records of all Data Breaches and remediation actions
  • For breaches involving PHI, comply with the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414)

11. Cross-Border Data Transfers

All Personal Data is currently processed within the United States. If HealthSquire needs to transfer Personal Data outside the United States in the future, it will:

  • Notify the Controller in advance of any proposed cross-border transfer
  • Ensure appropriate safeguards are in place (such as Standard Contractual Clauses or equivalent mechanisms)
  • Comply with all applicable data transfer requirements under Data Protection Laws

12. Relationship to BAA

Where HealthSquire processes PHI on behalf of a Covered Entity, this DPA operates alongside the Business Associate Agreement (BAA). In the event of a conflict between this DPA and the BAA regarding PHI, the BAA shall prevail to the extent of the inconsistency.

13. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of Data Protection Laws where such limitation is prohibited by applicable law.

14. Governing Law

This DPA shall be governed by and construed in accordance with the laws of the State of California, United States, without regard to conflict of law principles.

15. Contact Information

For questions about this DPA or to request a signed copy:

Data Protection Officer: dpo@healthsquire.com

Legal: legal@healthsquire.com

HIPAA Security Officer: hipaa@healthsquire.com

Preferred: Use our contact form for the fastest response.

Address: HealthSquire, 123 Healthcare Way, San Francisco, CA 94102